John Howard
John Howard
The gap here is (3). The proxy does not stop accepting inbound requests - it just tells clients to not re-use the connection for further requests (so it will, hopefully,...
Do you not run a validation webhook? ``` $ cat
I think you don't have `defaultRevision` set so it ends up not creating one that applies to objects without `istio.io/rev`. ``` $ ik manifest generate | kubectl grep Val*/ -s...
> maybe #52566 has fixed it Yes I think this did. We should work on a similar smaller patch for backport probably. Maybe @ilrudie or @MorrisLaw would be interested
> how can you make sure during upgrade, it is capatible for both client and server iwith different versions that's a good call, I only really consider older control plane...
Our current stance in this organization is to not use Github Actions. I don't mind running this check on a manual basis, and improving findings where they make sense, but...
Here is the report fwiw ``` RESULTS ------- Aggregate score: 7.0 / 10 Check scores: |---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| | SCORE | NAME | REASON | DETAILS | DOCUMENTATION/REMEDIATION | |---------|------------------------|--------------------------------|-------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------| | 10...
Thanks for the detailed report! The "every connection is accepted" is definitely an area I would love to improve on. The challenge is Linux's tcp stack doesn't really give this...
In a perfect world the Linux APIs look roughly like so: ```rs let partial_socket = listener.partially_accept().await // get SYN but don't SYNACK let Ok(upstream) = TcpStream::connect(partial_socket.original_dst) else { partial_socket.reject() }...
This is not incorrect, how you are installing is. The istioctl binary embeds the Kubernetes manifests which are tightly coupled to a version. Overriding the tag to a different version...